The CNIL, the French data protection agency, is conducting an investigation into two separate data breaches that have affected almost half of the country’s population, the largest in French history. The breaches occurred at payment processors Viamedis and Almerys, which manage third-party payments for health insurance companies and together hold data for 33 million French citizens.
The breaches at the two firms occurred just five days apart. Viamedis’ general director revealed that the attack on their systems was initiated through a successful phishing attempt on an employee. Meanwhile, Almerys was breached through a portal used by health professionals.
According to EuroNews, Darren Williams, CEO and founder at BlackFog, stated that healthcare services and providers are frequently targeted due to the sensitive nature of the data they hold, combined with insufficient funding for cybersecurity solutions and practices. The personal data of 33 million people involved in this attack is significant, and the full extent of the damage caused is not yet known.
The stolen personally identifiable information (PII) includes details such as marital status, dates of birth, and national identification numbers, as well as the names of health insurers. Fortunately, sensitive information such as banking details, medical data, health reimbursements, addresses, telephone numbers, and emails was not accessed. However, the CNIL has advised policyholders to be cautious as follow-on attacks may occur.
In their announcement regarding the Viamedis/Almerys investigation, the CNIL warned policyholders to be wary of requests related to health cost reimbursements and to regularly monitor their accounts for any unusual activity. They also highlighted the possibility of the breached data being combined with information from previous data breaches for potential social engineering attacks.
Max Gannon, senior cyber threat intelligence analyst at Cofense, emphasized that a single employee falling for a phishing attempt was once again responsible for a cyberattack affecting millions. He stressed the importance of training employees across the company to improve cybersecurity defenses.
In conclusion, the data breaches at Viamedis and Almerys have raised concerns about the security of sensitive personal information in France. The investigation by the CNIL will likely provide valuable insights into the vulnerabilities that led to these breaches and the necessary steps to prevent future incidents. It is essential for businesses to prioritize cybersecurity training for their employees to mitigate the risk of falling victim to phishing attacks and other cyber threats.